© Bell Canada, 2009. Tous droits réservés
Thank you for collaborating with your local h4¢k3r$ !
Christian “Check your Wifi” Frenette
Michel “You’ve been H4x0r3d!” Cusin
CSE Conference – Mont-Tremblant
October 16, 2009
C:\>format C: Y/N
Start to think out of the box…
… and realize what hackers know that you don't… !
Because they WILL use it to their advantage, against you or your customers !
Let’s try to think out of the box…
• How can we make 4 triangles, with 6 matches… ?
You have to think out of the box, just like the hackers do…
You know what we’re getting at… Right ?
Overview of the presentation
• Public information gathering
• The WiFi Landscape
• Social Networks / Social hacking / Engineering
• Spamming, phishing & Cross-site Scripting
• The infamous Botnets
Public information gathering
• Whois, nslookup / dig, ARIN, RF monitoring, etc…
• Google (Maps / Earth, Groups, Blogs, Images, etc…)
• Wigle.net, Wireless Geographic Logging Engine
• Enterprise Register
• Specialized tools (Maltego, Lazy Champ, Kismet, etc…)
• Social Networking Sites
• Did you know you were leaking that much..?
The WiFi Landscape
• Use Radio frequencies
• Electromagnetic shared medium, think hub !
• Physical environment dependencies
• Users can move, Phy environment can change
• CSMA/CA instead of CSMA/CD, or transmit and pray
• Indoor / outdoor
• Antenna pattern
• New security considerations
New vectors to protect against….
• Protect the network from unauthorized users
– Rogue AP, session hijacking, eavesdropping
• Protect users from unauthorized networks – Fake AP
(Diagram: Network | Users)
Don’t
• Disclose personal information in the SSID name of your network
• Rely on masking your SSID; it is useless:
– Provides a false sense of security
– Users don’t know it and reach for other networks
– The stations are broadcasting the SSID they’re trying to reach anyway (Probe requests)
• Filter MAC addresses; it is useless:
– Always transmitted in clear text
– Easy to spoof
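To make the probe-request point concrete, here is an added example (not from the presentation) in Python: it parses constructed monitor-mode log lines in a made-up format and reports which supposedly hidden SSIDs the stations have announced in the clear, which is what a wireless monitoring tool shows you when you check whether SSID masking buys anything.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample log (format made up for this example):
#   PROBEREQ <station MAC> <SSID, or * for a broadcast probe with no name>
PROBE_LOG = """\
PROBEREQ 00:11:22:33:44:55 *
PROBEREQ 00:11:22:33:44:55 CORP-HIDDEN
PROBEREQ 66:77:88:99:AA:BB CORP-HIDDEN
PROBEREQ 66:77:88:99:AA:BB FreeAirportWiFi
PROBEREQ CC:DD:EE:FF:00:11 *
PROBEREQ CC:DD:EE:FF:00:11 HomeNet-Smith-Family
"""


def parse_probes(log: str) -> Dict[str, Set[str]]:
    """Map each station MAC to the SSID names it has probed for by name."""
    probed: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3 or fields[0] != "PROBEREQ":
            continue  # not a probe request, ignore
        station, ssid = fields[1], fields[2]
        if ssid != "*":  # broadcast probes carry no name, so nothing leaks
            probed[station].add(ssid)
    return dict(probed)


def hidden_ssid_leaks(probed: Dict[str, Set[str]],
                      hidden: Set[str]) -> Dict[str, List[str]]:
    """For each 'hidden' SSID, the stations that revealed it over the air."""
    leaks: Dict[str, List[str]] = {}
    for ssid in hidden:
        stations = sorted(st for st, names in probed.items() if ssid in names)
        if stations:
            leaks[ssid] = stations
    return leaks


if __name__ == "__main__":
    probes = parse_probes(PROBE_LOG)
    for ssid, stations in hidden_ssid_leaks(probes, {"CORP-HIDDEN"}).items():
        print(f"hidden SSID {ssid!r} revealed by {len(stations)} station(s): {stations}")
    # A personal SSID also leaks from the client that remembers it.
    print("names probed by CC:DD:EE:FF:00:11:", sorted(probes["CC:DD:EE:FF:00:11"]))
```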
DoS attacks require expensive equipment
• Micro-wave fork attack
• WiFi jammer
Usually 2.450 GHz, just between Ch 8-9, in the ISM band, and 500-1000 watts !!! Vs AP 4 watts
We are protected…
• We have a firewall
– Facing the Internet ! (dude!!!)
– We provide a corporate LAN access jack
• in the parking lot (WiFi)
• We don’t have any wireless… nor policies !
– Nor wireless detection ;-(
– Laptop with WiFi card (ad-hoc mode)
Authentication & encryption
• We use encryption – WEP-RC4 or TKIP-RC4, AES-CCMP
• We use authentication – PSK or Enterprise (e.g. RADIUS)
– SSID, 802.1X, EAP-TLS, PEAP, etc. (password, certificate)
– EAP, sitting on WEP/TKIP, AES ?
– Always use a strong password policy (LEAP – ASLEAP)
Working @ home
• I use WEP, WPA-PSK
– You are acting like a rogue AP if your home network is not protected
• Anyway, I use a VPN to connect to the office
– You’re lucky if it never drops when you’re not in front of your PC
– Enforce layer 2 security even if you use a VPN
• All PCs at home are safe
– Kids’ PCs, PlayStation, lots of threats from the inside
Rogue threats
• Good guys, friendly/unaware
– Implemented by users to facilitate network access, always against organization policy (when one exists…)
• Malicious
– To provide a network backdoor
• Unintended
– Authorized but misconfigured equipment
Ad-Hoc mode
• Ad-hoc mode is insecure – all stations control the communication, no APs
– Unencrypted or WEP
• Looks the same or very close
• With aircrack-ng you get the WEP key and import it in Wireshark to decrypt on the fly.
– Users may use the Windows bridging utility to give access to the wired LAN from the ad-hoc segment
Free WiFi access – wonderful hot spot
• The hot spot controller only identifies authorized users by MAC + IP address
• At login, a popup logoff window is opened, normally blocked by the popup blocker
• Sessions stay active until the inactivity timeout
• Excellent recipe for session hijacking
– Script to monitor inactivity
– Spoof MAC and IP address (Pickupline)
Hot spot cont….
• Hotspots are identified only by SSID
• Stations reach for the highest signal
• A high-power soft-AP may be used to capture clients
(Diagram: Hotspot AP)
Hot spot… Sidejacking.
• Common for popular sites to do authentication over HTTPS (Gmail)
– and revert to HTTP after authentication
• Reason they can support HTTPS for all users:
– HTTPS is an option you have to select
• The attack consists of retrieving the session cookie, no need for your credentials
– Attacker can impersonate the user
– Doesn’t affect the active session
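An added example (not from the presentation) in Python of the two defender-side checks this slide implies: auditing a Set-Cookie header for the Secure and HttpOnly flags that keep a session cookie off plain HTTP, and scanning a constructed cleartext HTTP request for known session cookie names, as a hotspot-side monitor would to see whose sessions are exposed. The cookie names SID, NID and the host are made up.

```python
import re
from typing import Dict, List

# Constructed Set-Cookie values as a site might send them after an HTTPS login.
WEAK_SET_COOKIE = "SID=abc123; Path=/; Expires=Wed, 21 Oct 2009 07:28:00 GMT"
HARDENED_SET_COOKIE = "SID=abc123; Path=/; Secure; HttpOnly"


def audit_set_cookie(header_value: str) -> Dict[str, object]:
    """Report the cookie attributes whose absence enables sidejacking."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script")
    return {"name": name, "findings": findings}


def leaked_session_cookies(raw_request: str, session_names: List[str]) -> List[str]:
    """Names of known session cookies present in a plaintext HTTP request.

    Anything returned here is a session an attacker on the same hotspot
    could replay without ever seeing the user's password.
    """
    m = re.search(r"^Cookie:\s*(.+?)\r?$", raw_request, re.MULTILINE | re.IGNORECASE)
    if not m:
        return []
    sent = {c.strip().split("=", 1)[0] for c in m.group(1).split(";")}
    return sorted(n for n in session_names if n in sent)


# Constructed capture: the post-login request that has fallen back to HTTP.
PLAINTEXT_REQUEST = (
    "GET /mail/ HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Cookie: PREF=lang=en; SID=abc123; NID=77\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, audit_set_cookie(hdr))
    print("leaked over HTTP:", leaked_session_cookies(PLAINTEXT_REQUEST, ["SID", "NID"]))
```

With the Secure flag set, the browser simply never attaches the cookie to an HTTP request, so there is nothing for the hotspot sniffer to pick up.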
Hot spot injections – airpwn

airpwn configuration used in the demo:

```
begin page_html
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
response content/page_html
```

The injected response (content/page_html):

```
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<html><head><title>HELLO CSE!</title>
</head><body>
<blink><font size=+5 color=red>
Hello CSE! I'm watching you !
</font>
</blink>
<p>
```

(Diagram: the client’s HTTP request towards the Internet is sniffed at the hotspot and an HTTP response is injected.)
Hot spot recommendations
• Lack of layer 2 security requires stronger upper-layer defences
• Personal firewall, HIPS, AV are a must, and
– Patch, patch, patch
• Restrict permitted SSIDs
• Use VPN-tunnelled traffic at hotspots
• Security awareness for hot spot utilisation
BlackBerry
• They are secure, but users are not always
• Social engineering vulnerability
– Malware download, turning the BB into a remote cam or microphone, or redirecting mail
6 things to consider
• Security policy
• Strong authentication
• Strong encryption
• Monitoring
• Auditing
• Security awareness
Social Engineering
What is social engineering?
Are there any social engineers in the room ?
Social Networks and Social Engineering
Social Engineering + Social Networks =
• Some people post their life – (Kids, vacations, etc..)
• Security relies on a username/password – could be easy to get in
• ID spoofing – could ask money from the victim’s known contacts
• Koobface – Worm – infected 2.9M machines just in the US (Soc. Eng.)
• Installs a Web server and fake antivirus, sends fake messages,
• Foils CAPTCHA, steals data,
• Hijacks Web sessions, changes Domain Name System (DNS)
Social Networks and Social Engineering
• Microblog (Max 140 characters -> SMS)
• Security relies on a username/password – could be easy to get in
• ID spoofing – could ask money from the victim’s known contacts
• New way of spamming
• Are used to control Botnets
• All kinds of information could be posted on it (same as forums, BB)
– Corporate
– Sensitive
– Etc..
Spam
• What is it ?
Did you know that 86.4% of all e-mail in Sep 09 was spam ?
• Who ?
• Why ?
• When ?
• How ?
Phishing
• What is it ?
Did you know that 1 in 437 e-mails comprised a phishing attack?
• Who ?
• Why ?
• When ?
• How ?
• Here’s some examples…
Example of Phishing
Example of Phishing
XSS example
(Diagram: User, Web Site (very popular), Web Site (vulnerable to XSS))
Another Example <Metasploit>
Spamming + phishing = Lo$$ & Profit$
The infamous botnet
(Diagram: IRC client; IRC Servers (Internet Relay Chat), relayed through Cuba, Japan, Russia and China)
Methods of propagation
Peer to peer botnet
Fast flux botnet
Botnet controlled via Twitter
Botnet controlled via Google Groups
Security in surface…
(Diagram: Firewall, Antivirus, Intrusion Detection)
Security in depth
(Diagram: Firewall, Antivirus and Intrusion Detection on the surface; underneath, the 10 domains of security*: Security Policy, Organizational Security, Information Classification, Personnel Security, Physical and Environmental Security, Communications and Operations Management, Access Control, Systems Development and Maintenance, Business Continuity Management, Compliance)
* 10 domains of security - ISO 17799
Information security sometimes requires solutions that may not be in “a box”…
Questions ?